[Spacewalk-list] automatically adding GPG keys to a host

Jan Pazdziora jpazdziora at redhat.com
Tue Dec 11 08:30:25 UTC 2012


On Mon, Dec 10, 2012 at 09:30:12PM +0000, Snyder, Chris wrote:
> I want to be able to take a host that is already registered to Spacewalk and add a new software channel to it and then have the related GPG key automatically installed on the host.  I'd really like this to NOT involve any human interaction at all, but it always seems to involve a human having to add the GPG key to the host manually somehow.
> 
> Here's what I'm currently trying:
> 
> I've got an (unsigned) RPM which drops various GPG keys into /etc/pki/rpm-gpg on my hosts.  (This seemed the simplest way to be able to add/update keys in the future on my hosts, but I'm not glued to this idea.) Next, I configured my Spacewalk software channels to use the GPG keys from that RPM, setting location as 'file:///etc/pki/rpm-gpg/blah....'.   Once I enable this software channel for a host, I would expect that when I push packages to my host from Spacewalk, the needed channel GPG key would automatically be added to the RPM keyring on the host.   That doesn't seem to be happening.  After scheduling some package to be installed on the host,  I run 'rhn_check -vv' (on the host) and I see the following error:
> 
> D: keyurl = file:///etc/pki/rpm-gpg/<RPM KEY FILE>, isn't a known Red Hat key, so this will not be imported.  Manually import this key or set gpgcheck=0 in the RHN yum plugin configuration file
> 
> (This tells me that it is finding the correct GPG file as configured in the software channel, but it just doesn't like my key because I'm not Red Hat.)
> 
> I don't want to reconfigure my hosts to disable gpgcheck, and I can't find any way through Spacewalk to do the equivalent of 'yum -y'  (to auto-accept the key when prompted), so unless I'm really doing something wrong here, it doesn't look like I can simply add a host to a software channel and start pushing packages until a human goes to the host and either runs 'rpm -import <gpg file>' or some variation on 'yum -y install <some package from target channel>'.
> 

You can run a remote command to do yum -y or rpm --import. For the
remote command, the remote command execution obviously has to be
enabled on the clients.

Other than that, you are actually hitting an important security
feature of the setup -- unless configured on the client, the client
will prevent you from installing unverified packages or running random
code.

The generic advice would be to generate your GPG key and import it
either during kickstart or while doing rhn_register, to lay the
groundwork for pushing stuff out using your packages, signed with your
key.

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
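One way to do the key import Jan describes (from a Spacewalk remote command or a kickstart %post section) without touching gpgcheck, as an added example that is not from the thread: it pins the expected key fingerprint, so a wrong or substituted key file is refused rather than imported. It assumes GnuPG 2.1+ and rpm on the host; the key path and fingerprint in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread: import a channel signing key into
# the RPM keyring only when its fingerprint matches a value pinned in advance.
# Assumes gpg (2.1+, for --import-options show-only) and rpm on the host.
set -eu

# rpm records an imported key as a pseudo-package named
# gpg-pubkey-<last 8 hex digits of the key ID, lowercase>-<hex creation time>.
# Derive the name prefix from a full 40-hex-digit fingerprint (spaces allowed).
pubkey_pkg_prefix() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    [ "${#fpr}" -eq 40 ] || return 1
    printf 'gpg-pubkey-%s' "$(printf '%s' "$fpr" | cut -c33-40)"
}

# Print the fingerprint of the primary key in a key file without importing it.
key_fingerprint() {
    gpg --batch --quiet --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import KEY_FILE into the RPM keyring only if it carries the pinned
# fingerprint and is not already known to rpm. Safe to run repeatedly.
ensure_rpm_key() {
    key_file=$1
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'A-F' 'a-f')
    actual=$(key_fingerprint "$key_file" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "refusing to import $key_file: fingerprint '$actual' != '$expected'" >&2
        return 1
    fi
    pkg=$(pubkey_pkg_prefix "$expected")
    if rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg already present in RPM keyring"
        return 0
    fi
    rpm --import "$key_file"
    echo "imported $key_file as $pkg"
}

# Usage (placeholders, run as root on the client):
#   ensure_rpm_key /etc/pki/rpm-gpg/RPM-GPG-KEY-mysite "<40-hex-digit fingerprint>"
```

Push the script with the pinned fingerprint baked in; a key file that does not match is reported on stderr and the command exits non-zero, which shows up as a failed action in Spacewalk.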
